C# – Add resources to native executable file with UpdateResource

When I developed my tool YM Login BG, which changes the background of the YM login dialog, I had a chance to work more with the resource section of a compiled executable file. Making this tool takes two steps:
– I must insert a bitmap image into the Bitmap resource section of the file.
– I must somehow insert a new control into the login dialog. This control is just the background of the dialog.

1. Use ResHacker
To accomplish these two steps, we can use ResHacker (http://angusj.com/resourcehacker/) to add the bitmap and the control. To add the bitmap, open the executable file in ResHacker, browse to the Bitmap branch and choose “Add a new Resource” from the Action menu.

Adding a control to a dialog is almost the same: browse to the Dialog branch, choose the dialog we want to edit, add the control and press Compile Script to save all information.

So it’s pretty simple when we have ResHacker at hand. But I would like to run this process completely automatically. That means I just need to choose an image and click once to finish the remaining steps. Therefore I should use the APIs that deal with the resources of an executable file.

2. Programming
Generally, to add, edit or replace a resource in an executable file we must call three API functions: BeginUpdateResource, UpdateResource and EndUpdateResource. They must be called in that order to get the update handle of the target, edit it and save all changes. Their signatures in C# are below.

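using System;
using System.Runtime.InteropServices;

// Opens the target file for resource editing and returns an update handle
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr BeginUpdateResource(string pFileName,
   [MarshalAs(UnmanagedType.Bool)]bool bDeleteExistingResources);

// Queues one add/replace; lpType and lpName are integer resource IDs here
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool UpdateResource(IntPtr hUpdate, uint lpType, uint lpName, ushort wLanguage, byte[] lpData, uint cbData);

// Writes the queued changes to the file, or drops them when fDiscard is true
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool EndUpdateResource(IntPtr hUpdate, bool fDiscard);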

For example, if we want to add a bitmap to the resources of an executable file, we should write something like this:

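IntPtr ipTarget = Win32API.BeginUpdateResource(strFileName, false);
if (ipTarget == IntPtr.Zero)
{
	Console.WriteLine("Could not open target file for update");
}
else
{
	bool bUpdated = Win32API.UpdateResource(ipTarget, Win32API.RT_BITMAP, 41713, 1033, baRes, (uint)baRes.Length);
	// Commit only when the update succeeded; otherwise discard the pending change
	bool bSaved = Win32API.EndUpdateResource(ipTarget, !bUpdated) && bUpdated;
	Console.WriteLine(bSaved ? "Update successfully" : "Update failed");
}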

strFileName is the path to the target file whose resources we want to add, replace or edit. baRes is the byte array of the bitmap file. Please note that this byte array is not the complete byte array of the bitmap image: we must strip the first 14 bytes (the header of the bitmap file) before adding it. Otherwise the bitmap will not be handled correctly. baRes was constructed as below:

byte[] baBMP = File.ReadAllBytes(strBMPPath);
// Drop the 14-byte BITMAPFILEHEADER; the resource data starts at the info header
byte[] baRes = new byte[baBMP.Length - 14];
Buffer.BlockCopy(baBMP, 14, baRes, 0, baRes.Length);
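
The two snippets above combined into one routine, as an added example that is not the author's code: it checks the "BM" signature and the header size before dropping the 14-byte file header, and discards the pending update if a call fails. The names BitmapResourceWriter and AddBitmap are hypothetical, and declaring lpType/lpName as IntPtr (so integer IDs are passed pointer-sized) and accepting only headers of 40 bytes or more are choices made for this example.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;

static class BitmapResourceWriter   // hypothetical name, not from the post
{
    const int RT_BITMAP = 2;        // predefined resource type for bitmaps
    const int FileHeaderSize = 14;  // BITMAPFILEHEADER, not stored in resources

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr BeginUpdateResource(string pFileName, bool bDeleteExistingResources);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool UpdateResource(IntPtr hUpdate, IntPtr lpType, IntPtr lpName,
        ushort wLanguage, byte[] lpData, uint cbData);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool EndUpdateResource(IntPtr hUpdate, bool fDiscard);

    public static void AddBitmap(string targetPath, string bmpPath, ushort id, ushort langId)
    {
        byte[] bmp = File.ReadAllBytes(bmpPath);
        // A BMP file starts with "BM"; 14 + 40 bytes is the smallest size accepted here.
        if (bmp.Length < FileHeaderSize + 40 || bmp[0] != (byte)'B' || bmp[1] != (byte)'M')
            throw new InvalidDataException("Not a BMP file: " + bmpPath);
        // The first DWORD after the file header is the info header size (biSize).
        uint headerSize = BitConverter.ToUInt32(bmp, FileHeaderSize);
        if (headerSize < 40 || headerSize > bmp.Length - FileHeaderSize)
            throw new InvalidDataException("Unexpected DIB header size: " + headerSize);

        byte[] dib = new byte[bmp.Length - FileHeaderSize];
        Buffer.BlockCopy(bmp, FileHeaderSize, dib, 0, dib.Length);

        IntPtr update = BeginUpdateResource(targetPath, false);
        if (update == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (!UpdateResource(update, new IntPtr(RT_BITMAP), new IntPtr(id), langId, dib, (uint)dib.Length))
        {
            int error = Marshal.GetLastWin32Error();
            EndUpdateResource(update, true);    // drop the pending change
            throw new Win32Exception(error);
        }
        if (!EndUpdateResource(update, false))  // commit to disk
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }
}
```

Rewriting resources changes the file on disk, so an Authenticode signature on the target no longer validates afterwards.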

The argument wLanguage is the LangID of the resource. In my example above I hard-coded it, but if you want it to be variable you can get the LangID as below:

CultureInfo ciInfo = new CultureInfo("en-US");
ushort uLcid = (ushort)ciInfo.LCID;

The main idea is unchanged when we want to read or replace the information of a dialog. We just need to call a few more APIs to load the resource into memory and read it out.

// Raw bytes of the new control that will be appended to the dialog resource
byte[] baData = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x02, 0x54, 0xC8, 0xFF,
	0xFE, 0xFF, 0x3B, 0x01, 0x81, 0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x82, 0x00, 0xFF, 0xFF,
	0xF1, 0xA2, 0x00, 0x00, 0x00, 0x00
};

// Load the DLL/EXE without executing its code
IntPtr ipModule = Win32API.LoadLibraryEx(strFileName, IntPtr.Zero, Win32API.LOAD_LIBRARY_AS_DATAFILE);
if (ipModule != IntPtr.Zero)
{
	// Find the login dialog resource (ID 929)
	IntPtr ipResInfo = Win32API.FindResource(ipModule, 929, Win32API.RT_DIALOG);
	if (ipResInfo != IntPtr.Zero)
	{
		uint nSizeOfResource = Win32API.SizeofResource(ipModule, ipResInfo);
		IntPtr ipResData = Win32API.LoadResource(ipModule, ipResInfo);
		if (ipResData != IntPtr.Zero)
		{
			byte[] baTemp = new byte[nSizeOfResource + baData.Length];
			IntPtr ipMemorySource = Win32API.LockResource(ipResData);
			Marshal.Copy(ipMemorySource, baTemp, 0, (int)nSizeOfResource);
			for (int nIndex = (int)nSizeOfResource; nIndex < baTemp.Length; nIndex++)
			{
				baTemp[nIndex] = baData[nIndex - nSizeOfResource];
			}
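			// Offset 0x10 is the item count (cDlgItems) of a DLGTEMPLATEEX header
			baTemp[0x10] = (byte)(1 + baTemp[0x10]);
			IntPtr ipTarget = Win32API.BeginUpdateResource(strFileName, false);
			if (ipTarget != IntPtr.Zero && Win32API.UpdateResource(ipTarget, Win32API.RT_DIALOG, 929, 1033, baTemp, (uint)baTemp.Length))
			{
				Win32API.EndUpdateResource(ipTarget, false);
				Console.WriteLine("Update successfully");
			}
			else
			{
				// Release the update handle without writing anything to the file
				if (ipTarget != IntPtr.Zero) Win32API.EndUpdateResource(ipTarget, true);
				Console.WriteLine("Update failed");
			}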

		}
		else
		{
			Console.WriteLine("Could not load login dialog");
		}
	}
	else
	{
		Console.WriteLine("Could not locate login dialog");
	}
}
else
{
	Console.WriteLine("Could not load dll");
}
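
The hard-coded baData bytes read as two alignment bytes followed by a DLGITEMTEMPLATEEX record for a static SS_BITMAP control whose title is ordinal 0xA2F1 (41713, the bitmap ID used earlier); that reading is an interpretation, since the post does not name the structure. The added example below (not the author's code; DialogTemplatePatcher and AppendBitmapControl are hypothetical names) builds the same record but computes the padding and verifies the DLGTEMPLATEEX signature before touching offset 0x10. For a template whose length is 2 modulo 4 and the arguments 41713, -56, -2, 315, 385 it appends exactly the 38 bytes shown above.

```csharp
using System;
using System.IO;

static class DialogTemplatePatcher   // hypothetical name, not from the post
{
    // Appends a static SS_BITMAP control that displays bitmap resource bitmapId.
    public static byte[] AppendBitmapControl(byte[] dlg, ushort bitmapId,
        short x, short y, short cx, short cy)
    {
        // DLGTEMPLATEEX starts with dlgVer = 1 and signature = 0xFFFF; a plain
        // DLGTEMPLATE keeps its item count at a different offset, so refuse it.
        if (dlg.Length < 0x12 || BitConverter.ToUInt16(dlg, 0) != 1
            || BitConverter.ToUInt16(dlg, 2) != 0xFFFF)
            throw new InvalidDataException("Not a DLGTEMPLATEEX resource");
        ushort count = BitConverter.ToUInt16(dlg, 0x10);   // cDlgItems is a WORD
        if (count == ushort.MaxValue)
            throw new InvalidDataException("Dialog item count would overflow");

        MemoryStream ms = new MemoryStream();
        BinaryWriter w = new BinaryWriter(ms);
        w.Write(dlg);
        while (ms.Length % 4 != 0) w.Write((byte)0);  // items start DWORD-aligned
        w.Write(0u);                    // helpID
        w.Write(0u);                    // exStyle
        // WS_CHILD | WS_VISIBLE | WS_CLIPSIBLINGS | WS_GROUP | SS_BITMAP
        w.Write(0x5402000Eu);           // same style value as in the post's bytes
        w.Write(x); w.Write(y); w.Write(cx); w.Write(cy);
        w.Write(0u);                    // control id
        w.Write((ushort)0xFFFF); w.Write((ushort)0x0082); // class ordinal: static
        w.Write((ushort)0xFFFF); w.Write(bitmapId);       // title ordinal: bitmap ID
        w.Write((ushort)0);             // extraCount: no creation data
        while (ms.Length % 4 != 0) w.Write((byte)0);  // trailing pad, as in the post
        w.Flush();

        byte[] patched = ms.ToArray();
        BitConverter.GetBytes((ushort)(count + 1)).CopyTo(patched, 0x10);
        return patched;
    }
}
```

The returned array takes the place of baTemp in the UpdateResource call above.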

I think the code is easy to understand. A sample project, “Add, Replace, Edit resource of an executable file with C#”, can be downloaded at the following link.

YM Login BG

The program YM Login BG allows you to change the background of the login dialog of Yahoo Messenger to make it more beautiful. You just need to choose a bitmap image and press apply, and then you will have an interesting background on the login dialog. If you don’t like the background anymore, just press restore ym. The tool will restore the backup file for you.

* Requirements: .NET Framework 2.0
* Version: 1.0.0.0
* Supported versions: Yahoo Messenger 10 and 9
  o Windows 32-bit and 64-bit
* Comments on this tool: post directly below.

NOTE: If this tool doesn’t work with your system, post your errors here.

DOWNLOAD LINK: http://hintdesk.com/Web/Tool/YM%20Login%20BG.zip

HISTORY:

* [1.0.0.0] : Beta Version


Webmaster – Be careful when posting an example of a phishing site

Days ago I posted a small blog post to demonstrate desktop phishing. I built a clone of the Yahoo login site and hosted it on my site hintdesk.com. Today, when I logged into Google Webmaster Tools to check the back links to my site, I received an email from Google stating that

We have begun showing a warning page to users who visit this site in certain browsers that receive anti-phishing data from Google, as well as users redirected to this site from various Google properties.

Below are one or more example URLs on your site which may be part of a phishing attack:

http://hintdesk.com/Web/Tmp/login_verify2.htm

Here is a link to a sample warning page: http://www.google.com/interstitial?url=http://hintdesk.com/Web/Tmp/login_verify2.htm

We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site.

When I went to that link, I saw this announcement

This is very bad news for my site, because if I do not react immediately, after some days my site will be listed as a dangerous site and people will receive a warning when accessing it. That would make a bad impression. So be careful when demonstrating a phishing website: do not host any link relating to phishing on your own site. Just take some snapshots and delete it immediately after use.

DeReactor – A deobfuscator for .NET Reactor

.NET Reactor is a popular packer for .NET. It provides a lot of features to protect the source code from decompiling. One of them is obfuscation. The tool DeReactor will help you deobfuscate the assembly after unpacking. Please note that this tool is not an unpacker. You must unpack manually before using this tool to deobfuscate.

After deobfuscation, a patched assembly will be saved in the same folder as the application. Use Reflector to see the result.

This tool will be updated soon with more functions. For now it is a BETA version. Use it at your own risk. I’ll do it when I have more time.

  • Version: 1.0.0.0
  • Supported Version of Dotfuscator
    • may be all
  • Want more functions? Post a comment directly below.

NOTE:

  • If this tool doesn’t work with your packed assembly, send it to me. DO NOT blame me if this one doesn’t work. I’m just a newbie.

DOWNLOAD LINK: If you want to post this tool somewhere, please post the URL of my site, which keeps this tool up to date.

Download link: DeReactor

HISTORY:

  • [1.0.0.0] : BETA Version.
